
Feds demand better online banking security by 2007

Recently, Microsoft announced two-factor authentication support, in which a second method is used to confirm a user's identity, for Windows Vista. Now, the Federal Financial Institutions Examination Council (FFIEC) is offering guidance—a bureaucratic way of demanding something—to banks on tightening security for consumers online. Specifically, single-factor authentication, a password alone, is deemed inadequate protection against identity theft.

Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

While the guidance document lists a number of layered security possibilities for "informational purposes" only, at least one sounds kind of scary. The document (PDF) includes:

Shared secrets are security questions, such as "your favorite pet" or "your mother's maiden name," and are already implemented by many institutions. However, the report points out that "static" shared secrets represent a risk of compromise over time, and thus should be changed frequently. Multiple shared secrets are also suggested.

Tokens are physical devices that complement password security. These include Smart Cards, such as credit cards that contain a microprocessor and must be used in conjunction with a reader. USB Tokens are key-sized devices that plug into a USB port and, once recognized, prompt for a password. Password-Generating Tokens, which produce one-time passwords (OTP), eliminate the risk that comes with using the same password over and over. The OTP Token has a display that shows an OTP, to be entered after the user supplies their name and regular password online.
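To make the password-generating token concrete, here is an added example (not code from the original article or from the FFIEC document) of an RFC 4226 HOTP token and a server-side verifier that layers the one-time code on top of the regular password and refuses any code that has already been used. The secret, password, and salt are constructed sample values; the secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank-side record for one user: hashed password, shared token secret, last accepted counter."""

    def __init__(self, secret: bytes, password: str, window: int = 3) -> None:
        self.secret = secret
        self.salt = b"constructed-salt"  # constructed; use os.urandom(16) per user in practice
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.counter = -1        # no code accepted yet; the token starts at counter 0
        self.window = window     # how far the token may run ahead of the server

    def verify(self, password: str, code: str) -> bool:
        # Layer 1: the regular password (something the user knows).
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(candidate, self.pw_hash):
            return False
        # Layer 2: the one-time code (something the user has). Only counters strictly
        # above the last accepted one are tried, so a captured code cannot be replayed.
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c  # advance; this code and all earlier ones are now dead
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(b"12345678901234567890", "hunter2")
    print(v.verify("hunter2", hotp(v.secret, 0)))  # first use: accepted
    print(v.verify("hunter2", hotp(v.secret, 0)))  # same code again: rejected
```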

Biometrics include fingerprint, voice, and face recognition. However, it is questionable whether the technology for such devices has transitioned from RSN to the real world, or will anytime soon.

Out-of-Band Authentication refers to verification of identity through a channel outside the purview of the password process. As an example, a message could be sent by e-mail to the user requiring a response. It also includes Internet Protocol Address (IPA) Location and Geo-Location. This is kind of a security fetish fantasy. In such a world, users would be "issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners."

That last one makes a person almost reflexively quote 1984 or something. Besides the obvious privacy issues with an IPA registry, or the technical problems associated with biometric technologies, there is the simple matter of cost. Aside from security questions, even if another particular technology were chosen, say Smart Cards, who will pay for a nationwide, or worldwide, implementation? Until the cost of identity theft far exceeds the price tag of deploying and maintaining such a system, it's unlikely financial institutions or consumers will want to foot the bill. Unless the government mandates it, and perhaps that's what everyone should be afraid of.